| 3 |
- |
1 |
# Fail2Ban filter file for named (bind9).
|
|
|
2 |
#
|
|
|
3 |
|
|
|
4 |
# This filter blocks attacks against named (bind9) however it requires special
|
|
|
5 |
# configuration on bind.
|
|
|
6 |
#
|
|
|
7 |
# By default, logging is off with bind9 installation.
|
|
|
8 |
#
|
|
|
9 |
# You will need something like this in your named.conf to provide proper logging.
|
|
|
10 |
#
|
|
|
11 |
# logging {
|
|
|
12 |
# channel security_file {
|
|
|
13 |
# file "/var/log/named/security.log" versions 3 size 30m;
|
|
|
14 |
# severity dynamic;
|
|
|
15 |
# print-time yes;
|
|
|
16 |
# };
|
|
|
17 |
# category security {
|
|
|
18 |
# security_file;
|
|
|
19 |
# };
|
|
|
20 |
# };
|
|
|
21 |
|
|
|
22 |
[Definition]
|
|
|
23 |
|
|
|
24 |
# Daemon name
|
|
|
25 |
_daemon=named
|
|
|
26 |
|
|
|
27 |
# Shortcuts for easier comprehension of the failregex
|
|
|
28 |
|
|
|
29 |
__pid_re=(?:\[\d+\])
|
|
|
30 |
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
|
|
|
31 |
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
|
|
|
32 |
|
|
|
33 |
# hostname daemon_id spaces
|
|
|
34 |
# this can be optional (for instance if we match named native log files)
|
|
|
35 |
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
|
|
36 |
|
| 33 |
- |
37 |
failregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
|
|
|
38 |
^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
|
|
|
39 |
^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
|
| 3 |
- |
40 |
|
| 33 |
- |
41 |
ignoreregex =
|
|
|
42 |
|
| 3 |
- |
43 |
# DEV Notes:
|
|
|
44 |
# Trying to generalize the
|
|
|
45 |
# structure which is general to capture general patterns in log
|
|
|
46 |
# lines to cover different configurations/distributions
|
|
|
47 |
#
|
|
|
48 |
# Author: Yaroslav Halchenko
|